Privacy Policy
Last updated: 20 June 2026
This Privacy Policy explains how One Big Fab Family ("we", "us", "our") collects, uses, and protects your personal data when you use our website and services. We are committed to protecting your privacy and complying with the EU General Data Protection Regulation (GDPR), the UK GDPR, and other applicable data-protection laws.
1. Who we are (data controller)
One Big Fab Family operates this family-genealogy website. For the personal data described here, One Big Fab Family is the data controller. You can reach us at any time through our contact page for any privacy question or to exercise your rights.
2. The data we collect
- Account data - your name, email address, and a securely hashed password.
- Family-tree content - the people, relationships, dates, places, photos, and notes you choose to add. This may include personal data about your relatives.
- Billing data - your billing address and country. Card details are entered directly with our payment processor (Stripe); we never see or store your full card number.
- Technical data - your IP address, browser type, and approximate country (used for security and fraud prevention, and to show prices in your local currency).
- Consent records - your cookie choices, with a timestamp and a salted (non-reversible) hash of your IP, kept as proof of consent.
3. How and why we use it (legal bases)
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Create and run your account; provide the family-tree service | Performance of a contract |
| Process subscription payments and tax | Performance of a contract; legal obligation |
| Security, fraud-prevention, abuse-prevention (CAPTCHA, rate-limiting) | Legitimate interests |
| Local-currency pricing from approximate location | Legitimate interests |
| Optional analytics and marketing cookies | Consent |
| Sending the contact-form reply you request | Consent / legitimate interests |
4. Cookies
We use strictly necessary cookies (for login, security, and checkout), which do not require consent. We only set optional analytics or marketing cookies if you agree via our cookie banner. You can change your choice at any time by clearing the cookie_consent cookie or contacting us.
5. Who we share data with (processors)
| Provider | Purpose |
|---|---|
| Stripe | Payment processing and tax calculation |
| Cloudflare (Turnstile) | Bot / spam protection on forms |
| ip-api.com | Approximate country from IP for local pricing (only if the server cannot determine it locally) |
| Gravatar (Automattic) | Optional profile avatar from your email hash |
| Our hosting & email provider | Running the site and sending transactional email |
We do not sell your personal data. Where a provider is outside the EU/EEA, transfers are protected by appropriate safeguards such as the EU Standard Contractual Clauses.
6. How long we keep it
We keep your account and family-tree data for as long as your account is active. Payment and tax records are kept for the period required by law (typically up to 7-10 years). When you delete your account, your account and tree data are erased immediately; anonymised consent and accounting records may be retained where the law requires.
7. Your rights
Under the GDPR you have the right to access, rectify, erase, restrict, and port your data, to object to certain processing, and to withdraw consent at any time. You can exercise the main rights yourself from your Account & privacy page - download a full copy of your data, or permanently delete your account. For any other request, contact us. You also have the right to lodge a complaint with your local data-protection authority.
8. Data about your relatives
When you add living relatives to a tree, you are responsible for having a lawful basis to do so. We automatically keep details of living people private on public views. If someone asks to be removed from a tree, please contact us and we will help.
9. Security
We protect your data with HTTPS encryption, hashed passwords, encrypted two-factor secrets, strict access controls, security headers, and bot protection. No system is perfectly secure, but we take reasonable measures to keep your data safe.
10. Children
Accounts are for adults. We do not knowingly create accounts for children under 16. Family trees may contain information about children added by an adult account holder, kept private by default.
11. Changes
We may update this policy. We will post the new version here with an updated date and, for significant changes, ask for renewed consent.
This document is provided for transparency and is not legal advice. For a legally binding policy tailored to your jurisdiction, please have it reviewed by a qualified lawyer.